CVE-2021-22135
Document Disclosure vulnerability in elasticsearch (Maven)

Document Disclosure No known exploit

What is CVE-2021-22135 About?

This document disclosure flaw in Elasticsearch versions before 7.11.2 and 6.8.15 affects the suggester and profile API when Document and Field Level Security are enabled. It allows attackers to determine the existence of documents and fields they should not be able to view. Exploitation involves specific queries that can bypass security settings.

Affected Software

  • org.elasticsearch:elasticsearch
    • >7.0.0, <7.11.2
    • <6.8.15

Technical Details

The vulnerability exists in Elasticsearch versions prior to 7.11.2 and 6.8.15, specifically within the suggester and profile APIs. Document Level Security (DLS) and Field Level Security (FLS) are meant to restrict which documents and fields a user can see, and normally the suggester and profile API are disabled when DLS is active. However, certain crafted queries can force the profiler and suggester to be enabled. Once enabled, these features can disclose the existence of documents and fields to an attacker who holds no read privilege on their content, bypassing the intended DLS/FLS protections.

What is the Impact of CVE-2021-22135?

Successful exploitation may allow attackers to gain unauthorized knowledge of the existence of documents and fields within the database, potentially revealing sensitive data structures and data presence to unprivileged users.

What is the Exploitability of CVE-2021-22135?

Exploitation of this vulnerability requires an attacker to submit specific queries to the Elasticsearch suggester or profile API. Authentication is not explicitly stated as a prerequisite for querying these APIs, but the context implies some level of authenticated access to Elasticsearch. The required privilege level is that of a user with limited or no access to certain documents or fields who can nevertheless interact with the API. The vulnerability is remotely exploitable wherever the Elasticsearch instance is reachable. The complexity lies in crafting the specific queries that illicitly enable the vulnerable API functionality and bypass FLS/DLS.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2021-22135?

Available Upgrade Options

  • org.elasticsearch:elasticsearch
    • <6.8.15 → Upgrade to 6.8.15
    • >7.0.0, <7.11.2 → Upgrade to 7.11.2
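The two facts a defender needs from the Technical Details and fix sections above are (a) whether a cluster runs a release before 7.11.2 (7.x line) or 6.8.15 (6.x line) and (b) whether any role actually uses DLS or FLS, since the flaw only matters when both hold. The following Python script is an added example, not code from this page or from Elastic: it parses the version number from the JSON body that the cluster root endpoint (GET /) returns, evaluates it against the advisory's fixed releases (following the summary wording "before 7.11.2", every 7.x release below 7.11.2 is treated as affected), and scans role definitions in the shape returned by GET _security/role for a "query" (DLS) or "field_security" (FLS) entry. The sample cluster response and roles are constructed for the example, not captured from a real deployment.

```python
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory: 6.8.15 for the 6.x line, 7.11.2 for 7.x.
FIXED_6X: Version = (6, 8, 15)
FIXED_7X: Version = (7, 11, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing qualifier such as '-SNAPSHOT' is ignored."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the release predates the fix for its line (7.x < 7.11.2, anything else < 6.8.15)."""
    v = parse_version(version)
    if v[0] == 7:
        return v < FIXED_7X
    # 8.x and later shipped after the fix; 6.x and older are affected below 6.8.15.
    return v < FIXED_6X


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release for the affected line per the advisory, or None when not affected."""
    if not is_affected(version):
        return None
    target = FIXED_7X if parse_version(version)[0] == 7 else FIXED_6X
    return ".".join(str(n) for n in target)


def role_uses_dls_or_fls(role: Dict) -> bool:
    """True when any index privilege in the role carries a DLS query or an FLS grant.

    Assumed shape: one role document as returned by GET _security/role, where each
    entry of "indices" may carry a "query" (DLS) or "field_security" (FLS) key.
    """
    for index_priv in role.get("indices", []):
        if index_priv.get("query") or index_priv.get("field_security"):
            return True
    return False


def assess_cluster(cluster_info_json: str, roles: Dict[str, Dict]) -> Dict[str, object]:
    """Combine the version from GET / with role definitions (name -> role) into one verdict."""
    number = json.loads(cluster_info_json)["version"]["number"]
    affected = is_affected(number)
    dls_fls_roles = [name for name, role in roles.items() if role_uses_dls_or_fls(role)]
    return {
        "version": number,
        "affected_release": affected,
        "dls_fls_roles": dls_fls_roles,
        # The flaw only matters when an affected release also has DLS/FLS roles in use.
        "exposed": affected and bool(dls_fls_roles),
        "upgrade_to": recommended_upgrade(number),
    }


# Constructed sample responses (not captured from a real cluster).
SAMPLE_CLUSTER_INFO = json.dumps({
    "name": "node-1",
    "cluster_name": "example-cluster",
    "version": {"number": "7.10.2", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})

SAMPLE_ROLES = {
    "analyst_restricted": {
        "cluster": [],
        "indices": [{
            "names": ["hr-*"],
            "privileges": ["read"],
            "field_security": {"grant": ["title", "department"]},
            "query": '{"term": {"visibility": "public"}}',
        }],
    },
    "logs_reader": {
        "cluster": [],
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
    },
}


if __name__ == "__main__":
    print(json.dumps(assess_cluster(SAMPLE_CLUSTER_INFO, SAMPLE_ROLES), indent=2))
```

Run against a live cluster by substituting the bodies of GET / and GET _security/role for the constructed samples; the "exposed" flag is the one to act on, and "upgrade_to" is the advisory's fixed release for that line.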


Additional Resources

What are Similar Vulnerabilities to CVE-2021-22135?

Similar Vulnerabilities: CVE-2020-7013, CVE-2019-7609, CVE-2019-17355, CVE-2018-3603, CVE-2017-0248